“The companies behind these controversial tools are established members of the digital-advertising supply chain that provide an array of services, and their relationships with other industry participants should not be defined or determined with one broad stroke,” he added. “All-or-nothing proclamations and actions on this matter represent a dangerous over-simplification that’s creating conflict and putting the industry at risk. This face-off must be replaced with thoughtful and productive discussion recognizing the subtleties of the marketplace, the individual interests of businesses, and the true north that all parties invested in this discord and its resolution share: the desire to deliver value to consumers that is dependent upon trust, comfort and control over their privacy.”

We have taken Mr. Conroy’s admonitions to heart, not just
because he is a member of the
IAB’s Board of Directors, but because he is right. Conversation is better
than isolation; negotiations trump obstinacy; “win-win” is preferable to “you
lose.” So we were heartened when Mozilla executives started reaching out to
advertising, media, and ad technology industry companies, professing to want to
include them among the stakeholder groups whose opinions matter as Mozilla goes
about reconfiguring its Firefox browser, which controls
20 percent of the world’s access to the Internet.

Unfortunately, a review of Mozilla’s latest scheme for blocking
third party cookies shows it to be worse than its earlier proposals. While
Mozilla executives say they are taking in criticism from multiple stakeholders,
the company’s own statements and explanations indicate that Mozilla is making extreme
value judgments with extraordinary impact on the digital supply chain, securing
for itself a significant gatekeeper position in which it and its handpicked
minions will be able to determine which voices gain distribution and which do
not on the Internet.

The Cookied Web

Third-party
cookies are an essential part of the Internet content supply chain, and
date to the earliest days of the commercial Web, in the mid-1990s. Stored
inside a user’s Web browser, they help the browser remember the user’s previous
activity. While first-party cookies, as Wikipedia notes, “are cookies set with
the same domain (or its subdomain) as your browser’s address bar,” third-party
cookies “are cookies set with domains different from the one shown on the
address bar.”

Although third-party cookies have been controversial
mechanisms - their privacy implications, particularly the concern that they
could be used to maintain identifiable dossiers of consumers and consumer
activities, were subjects
of Federal Trade Commission hearings in 1996-1997 - they have been part of
the way Internet advertising has been delivered, measured, analyzed, optimized,
and compensated for more than 15 years. Were they to be embargoed tomorrow,
billions of dollars in Internet advertising and hundreds of thousands of jobs
dependent on it would disappear.

On June 19, Mozilla - which is both a nonprofit foundation
and a for-profit corporation - announced a new plan for blocking
third-party cookies in Internet content distribution. In collaboration with
Stanford University’s Center for Internet and Society, it said it would
establish a “Cookie Clearinghouse,” a body that would “develop and maintain an
‘allow list’ and ‘block list’ to help Internet users make privacy choices as
they move through the Internet.”

The Cookie Clearinghouse replaced Mozilla’s earlier concept
for controlling the use of third-party cookies: a patch to its Firefox browser
which essentially would have blocked all third-party cookies except those
specifically allowed by the user. After an uproar from Internet
advertising and retail organizations, including the IAB, Mozilla put that plan
on hold, announcing that it produced too many “false positives” and “false
negatives.” Specifically, it would block
third-party domains even if they share the same owner and operator as a primary
domain - an almost pure act of business interference - and failed to block
cookies on sites users went to by accident. Mozilla Chief Technology Officer
Brendan Eich said “the only credible alternative” to the blunt, poorly designed
Firefox patch was “a centralized block-list.”

Centralized solutions may, in fact, be necessary to improve
performance, user control, and the safety of the Internet advertising and media
supply chain.

We believe the “open source” Internet advertising supply
chain, while a foundation for enormous innovation, also introduces vulnerabilities
into the advertising and media ecosystem, and we are eager to work with
legitimate participants to improve the functioning and safety of this supply
chain. IAB already participates in several
such centralized solutions. A prominent one is the Digital Advertising Alliance’s
self-regulatory program for online behavioral advertising. This program
allows consumers to see how they are being tracked online and by which
advertising-related companies, and to selectively opt in and opt out of such
tracking. In February 2012, Jon
Leibowitz, the then-Chair of the FTC, called the DAA program “a significant
step forward.” Today, trillions of ad impressions
a year carry the DAA’s notification icon; millions of consumers have clicked on
it and visited the DAA’s Aboutads.info site; and hundreds of thousands have
opted in and out of various forms of targeting via the DAA program.

And just this week, the
White House praised another IAB initiative, our Quality Assurance
Guidelines, a centralized compliance program that, among other things, will
help combat the piracy of intellectual property in digital advertising
environments.

So our initial opposition to the new Mozilla announcement
was not based on hostility to centralized solutions. It was based on our skepticism
about Mozilla’s motives and with its ability to follow through on its
commitments.

Anti-Business Bias

Mozilla executives say they are not opposed to advertising.
Indeed, at the same time the organization is threatening to choke off the
ability of Long Tail publishers to monetize their advertising inventory, it is testing the market for a new advertising
product of its own - a suspicious confluence of events, to say the least.

But that aside, the company’s civic positioning and public
character are heavily freighted with antipathy toward advertising and the
commercial Internet. For example, Mozilla is the world’s largest distributor of
Adblock Plus, a browser add-on that impedes advertising delivery on the
Internet. Adblock
Plus boasts nearly 15 million Firefox users, and is the browser’s no. 1
add-on by far, with more than twice as many users as its no. 2 add-on, Video
Download Helper.

Like the piracy of music and movies online, ad blocking
appears to be a victimless endeavor, but in fact is a possibly illegal activity
that deprives a cascading chain of legitimate enterprises of income. In some
markets, Adblock Plus is responsible for stopping as much as 50 percent of
mainstream publishers’ ads, significantly harming their revenue stream. For
small publishers, the effect is devastating. Niero Gonzalez, the proprietor of
the gamer site Destructoid.com and a member of the IAB’s Long Tail Alliance,
says that half
his users are blocking ads. “This means we’re working twice as hard as ever
to sustain our company,” he has written.

When asked about this, Mozilla executives give a figurative
shrug and say they are merely responding to their users’ interests, and that
Firefox add-ons are community contributions, about which Mozilla does not pass
moral judgments. But of course, this is,
at best, a rationalization, and perhaps wholly disingenuous. Like all
organizations, Mozilla makes choices and passes judgments every day, which
reflect the organization’s values. Mozilla’s active, prominent promotion of
Adblock Plus suggests a value system hostile to advertising and the businesses
and people dependent on it. If the organization felt strongly about the
economic impact of ad blocking on small Web publishers and retailers, it could
curb it - or at least cease aiding and abetting it.

An organization’s values also are represented by those with
whom it chooses to associate. Here again, Mozilla’s values reflect an aversion
toward advertising and the consumer economy to which it is central. The Cookie
Clearinghouse launched by Mozilla with Stanford is led by Aleecia M.
McDonald, the Director of Privacy at Stanford’s Center for Internet and
Society. Dr. McDonald co-chaired the Worldwide Web Consortium’s Tracking
Protection Working Group, a body that was supposed to join stakeholders from
industry, academic institutions, NGOs, and regulators in developing standards
for browser-based mechanisms to enable users to opt out of tracking. Dr.
McDonald’s leadership of the group was widely perceived as unsuccessful, in no
small part because of her Manichaean point of view that pits privacy interests
against business interests, and her impatience with alternative perspectives on
the W3C Task Force. Last July, for
example, she said, “Whatever standard the W3C produces will put a number of
third parties out of business, but that is okay because that will be a good day
for privacy.” Only since her
departure from the W3C has the body managed to struggle closer to a consensus
standard.

Dr. McDonald’s insensitivity was on display again last month,
when she chose an anti-business extremist for the Advisory Board of her
Clearinghouse - Jonathan
Mayer, the Stanford graduate student who designed the cookie-blocking
patch, and whose intemperate public opposition to the ad industry,
consensus-generating processes, and stakeholder negotiations led Mozilla, in a
May industry forum, to publicly
disavow its connections to him. That Mozilla would subsequently turn to such
people to lead a body that will make decisions regarding the life and death of
businesses is an indication of the organization’s indifference to the economic
stakes involved in its efforts to unilaterally reconfigure the Internet
advertising supply chain.

But at least as telling as the presence of anti-business
radicals on Mozilla’s “cookie court” is who and what is absent. There are no
publishers on it - the people whose livelihoods depend on the sale of digital
advertising. There are no executives from ad networks - the companies that are
almost solely responsible for helping small publishers earn any income. There
are no executives from brand marketers, ad agencies, retailers, e-tailers, or
ad technology companies - not a single representative from an ecosystem responsible for creating
5.1 million jobs in and contributing $530 billion annually to the U.S.
economy.

In light of this criticism, Mozilla may lean on Stanford to
change the composition of its Cookie Clearinghouse, but that alone cannot
change the character or complexion of Mozilla or the Stanford Center for
Internet and Society, which appear to be those of elitist organizations that
hide under the shield of populism to make value judgments about who is worthy of
earning a living in the digital age.

The Atomized Individual

We saw this anti-business value system reflected again in
the operating details Mozilla has begun to unveil for its Cookie Clearinghouse.
These specifics have been doled out sparingly in blog posts and in a sparsely
attended discussion
Mozilla convened on July 2 at its San Francisco headquarters.

At first blush, Mozilla’s ideology seems inarguable. “We
simply believe that when personal data is collected to deliver these
[personalized Internet] services, the collection should be done respectfully
and with the consent of the consumer,” the company said on its
Mozilla Blog on May 10. Its decision to block third-party cookies by
default was made “to strike a better balance between personalized ads and the
tracking of users across the Web without their consent.”

Seemingly benign, Mozilla’s ideology is weighted down with
counter-historical presumptions. The entire marketing-media ecosystem has
subsisted on purchase-behavior data and other forms of research being available
without individuals’ consent. R.L. Polk &
Co. receives automotive ownership data from some 240 sources, including
state governments, auto manufacturers, and financing companies, to create
profiles of nearly every vehicle on the road and the people driving them. This
data has been central both to the health of the auto industry and to
improvements in cars, driving, and auto safety over the years.

U.S.
Census data, too, is a foundation of U.S. economic development. The U.S.
Census Bureau maintains a site full of case studies describing how this most
personalized data source of all can be used by businesses that want to “gauge
the competition,” “calculate market share,” “locate business markets,” “design
sales territories and set sales quotas,” and engage in myriad other activities.
Not only is this use of anonymous, personal data central to the American
economy - it is protected by the U.S. Constitution.

Were such sources of data suddenly to become unavailable -
or if they were to shift from default-available to default-closed - whole
industries would suffer, and along with them the people they employ and the
communities in which they operate.

This is exactly what Mozilla is proposing to do - and what
its self-styled libertarian patrons are (paradoxically) urging it to do.

Words like “privacy” and “respect” seem incontestably clear
and insistent. Yet they have no single meaning. They are social constructions -
and different social constructions have different trade-offs, one of which is
the diversity of content, and ideas, on the Internet.

At this moment in the evolution of the Internet, third-party
cookies are the technology that makes small publishers economically viable.
Their elimination will concentrate ad revenues in a shrinking group of giant
media and technology companies. It is incumbent on Mozilla, which claims to
defend openness and diversity on the Internet, to reconcile its public values
with the diminution in diversity that is bound to occur from its proposed
actions.

The Mozillan Ideology

There are four major ideological presumptions underlying
Mozilla’s decision to block third-party cookies through its Cookie
Clearinghouse:

It presumes that blocking third-party cookies by
default is better than allowing them by default.

It presumes that an Internet supply chain
dependent on a centralized clearinghouse will continue to operate
equitably.

It presumes that human involvement only during counter-challenges
to the Clearinghouse’s decisions is reasonable and scalable.

It presumes that the establishment of a
centralized body to determine which third parties should be exempt from this
default behavior is consistent with Mozilla’s mission.

All of these presumptions are questionable.

Blocking third-party cookies by default is neither better nor worse than allowing them by default- but it does reflect a value judgment which affirms that the sanctity of the individual, in any way he or she chooses, transcends all other values, including important functions of civil society.

Consider, for example, the role of commerce - the freedom to engage in which was a fundamental spark to the American Revolution. Although it may not be as apparent as when a customer enters a physical store, visiting a web site is a commercial act, during which a value exchange occurs. Consumers receive content, and in exchange are delivered advertising. The value of the delivered ad is currently calculated based on two essential points of data - where the ad is being delivered, and to whom. By blocking third-party cookies by default, Mozilla is turning off the anonymized but behaviorally relevant “who” signal, thereby reducing the value of most ads. The user effectively has been granted a right to engage in a commercial transaction without anyone knowing anything about that transaction, including the other party to the transaction. This social decision carries costs. By reducing the value of advertising, consumers and businesses will shoulder higher prices, in the form of more ads, more intrusively delivered. Or they will pay more for content. Or they will be asked for more explicitly personal information in return for the content.

The same would be true if another source of prevalent, anonymized, personal data - bar codes and retail scanners - was suddenly embargoed. Costs in the retail supply chain would skyrocket, as stores, distributors, and manufacturers struggle to maintain optimal stocks of goods. No one would benefit - margins would decline everywhere, and consumer prices would rise - but the worthiness of the individual, and his freedom from intrusive inspection of his anonymized toothpaste purchases, would be sanctified.

As the internet becomes further entrenched in modern life, assuring sufficient consumer control grows in importance. Yet simply flipping a default preference for all consumers does nothing to empower them. Instead, it degrades the opportunities businesses have for delivering conveniently available high quality content, and it promises to raise various kinds of consumption costs on consumers.

Social costs also factor into the equitability of Mozilla’s
proposal for a centralized Cookie Clearinghouse. At this time, Mozilla hasn’t
made clear the formats for its proposed “block-list” and “accept-list.” The accept-list is to contain a list of third
parties that are exempt from the blanket ban on third-party cookies. This accept-list
has two possible implementations of which we are aware:

It could list the domains that are allowed to
use cookies in athird party context. For example, “XYZ can set cookies ina
third party context.”

It could list the domains that are allowed to
use cookies in athird party context, and specify which domains on
which they are allowed to do so. For
example, “XYZ can set cookies inthird party context, but only on
ABC and DEF.”

The first possible implementation introduces a fixed cost to
anyone who would want to use third-party cookies for any reason. This cost would have a higher proportional
impact on smaller players, thereby increasing the barriers to entry for new
competition. Depending on the criteria
used to evaluate exceptions, this may block several existing business models -
those of advertising networks and data brokers, certainly, but also such
functions as web analytics, on-page social sharing buttons, and other
widgets.

The second possible implementation introduces significant scaling
costs to anyone who would want to usethird-party cookies. It will definitely block social widgets,
“share” buttons, “like” buttons, and any other popular business model that
depends on user interactions with cookies while the user is away from the
first-party “proprietor” site. At best,
the centralized clearinghouse skews towards the incumbent, reducing the
opportunity for small innovators to gain a foothold and compete. At worst, it completely eliminates certain
business models.

Another troublesome, complex, and socially costly feature of
Mozilla’s Cookie Clearinghouse involves the use of human intervention to
determine which cookie-settings are acceptable and which are not. As currently
drafted, the clearinghouse proposes an automated handling of most requests
through a “challenge” process, and a manual handling of any contested request
through a “counter-challenge” process.
This is troubling, for it empowers unscrupulous actors to leverage the
clearinghouse as a tool for disruption of service and to gain competitive
advantages. Specifically, without human oversight,
the following situations may occur:

An attacker can counter-challenge the
exception for a legitimatethird party, thereby temporarily blocking
the ability of thatthird party to set cookies.

Multiple attackers can counter-challenge a
wide range of legitimate third parties, thereby overloading the staff of the
Cookie Clearinghouse, further damaging those legitimate third parties.

Multiple attackers can file challenges as well
as counter-challenges to those same challenges, to further increase the
workload of the Cookie Clearinghouse staff.

An unscrupulous actor can indicate that it is
a legitimatethird party, thereby gaining the ability to setthird
party cookies, and can then migrate to a new domain as soon as a
counter-challenge is raised. If done in tandem with a persistent attack on the
ability of the Cookie Clearinghouse staff to review counter-challenges, this
advantage may be longstanding.

The creation of a centralized, automated “toggle” exposes all web
sites that depend on third party resources to potential disruption. However, staffing to validate each and every
challenge manually is not feasible, either.
By attempting to enhance individual isolationism on the Web, Mozilla
could instead turn it into a bureaucratic war zone of competing interests.

Firefox’s
Henhouse

For years, Mozilla has portrayed itself as one of the good actors
on the Wild West of the Web - a digital Jimmy Stewart out to tame the
evil-doing Liberty Valance’s of the virtual world, making it safe for the
citizenry to raise barns and families and towns. “Our mission,” Mozilla proclaims, “is to
promote openness, innovation & opportunity on the Web.”

Underlying this mission is a declaration of sorts, something the
California foundation labels “The Mozilla Manifesto.” Among its
10 principles are:

2.
2. The Internet is a global public resource that must remain open and accessible.

6.
6. The effectiveness of the Internet as a public
resource depends upon interoperability (protocols, data formats, content),
innovation and decentralized
participation worldwide.

The creation of a centralized gate to participation in the digital
economy seems to run counter to the goals of an open, accessible, decentralized
Internet. Deciding centrally what is
best for consumers - and rendering explicit judgments that individual
isolationism is preferable to a diversity of information on the Internet -
appears to defy Mozilla’s charter.

Perhaps worse is the organization’s blindness to its own
potential, as it evolves inside a cocoon spun by techno-libertarians and
academic elites who believe in liberty and freedom for all, as long as they get
to decide the definitions of liberty and freedom. By dealing exclusively with
the issue of controls around cookies, Mozilla is missing a great opportunity to
talk about the options for identity management and safety in a larger
scope. A solution that empowers consumer
choice in both the mobile OS and desktop browser spaces would bring
significantly more value to all involved parties, and allow Mozilla to promote
thought leadership with its nascent Mobile OS.

We’d like to work with Mozilla and other browser makers to get there.
In fact, Mozilla should consider this an open, public invitation to join the
IAB. We’ll even waive its annual dues for the first year, just to get its
people participating in what we do and understanding more deeply the concerns
of the digital advertising industry. The same goes for the browser teams at
Apple, Google, and Microsoft. These companies already are members of the IAB,
some of them highly participatory, but their browser teams remain generally uninvolved
in what we do. We are looking to these browser makers, and the other would-be
gatekeepers of the Internet, to work with us to resolve a critical social,
economic, and cultural dilemma - how to balance the desire for privacy with the
value of cultural diversity.

Unfortunately, the new proposal from Mozilla is not that
resolution. Rather, it and other browser makers continue to fight their solo
war against each other, leaving the rest of us as potential collateral damage.

So to summarize, here’s what we would like to see from Mozilla:

Block the ad-blockers, and turn your backs on
those who delight in destroying others’ livelihoods.

Don’t align yourself with individuals and
groups whose history shows them unwilling to strive for consensus among
multiple stakeholder groups.

Strive to protect user privacy and anonymity,
but understand that these are different than user isolationism.

Show publishers, agencies, and marketers that
you care about their businesses, and work toward solutions that help content
get distributed and fairly compensated.

Elevate the diversity of Web content to your
highest value of all. And work with us to achieve it.